The latest dev version is the most stable and best performing for SSL. Do you mandatory need splicing? Can't you simply disable it ??
cheers On Wed, Jan 9, 2013 at 1:05 PM, Christian Becker <[email protected]> wrote: > > On 09.01.2013, at 01:15, Baptiste <[email protected]> wrote: > >> Hi, >> >> You should NEVER ever change 2 core stuff in your architecture in the >> mean time!!!! >> First upgrade HAProxy, then later upgrade the kernel.... So if you >> have an issue, it would be easier to track which component triggered >> it. >> In your case, it's quite easy, as everybody mentioned, it is the kernel... >> So first advice, use your old kernel and install a new one on a >> pre-prod machine and run your benchmarks... Then you'll be able to >> help the kernel devs to fix the issue without impacting your >> production. >> >> cheers >> > > You´re right, upgrading both at the same time showed to be a bad idea! > > In the mean time i´ve downgraded to the old kernel, but the performances > issues persist. So this seems to be a issue in haproxy. > > Currently only the initial Warnings i´ve posted are related to the new > kernel, but the high system cpu in conjunction with splicing is haproxy > related. > > As i´ve previously mentioned we´re currently running dev7 on production but > need SSL Offloading for some of the frontends, any suggestions for a stable > haproxy version? Or should be use stunnel to offload until the current issues > are resolved? > >> Good catch. The issue does sound different though; Willy didn't report >> any kernel warnings, it was "just" bad tcp splicing performance. >> >> Anyway, you could apply Eric's fix from [1] to double check. >> >> Furthermore you could also try to revert commit 2f53384 >> (tcp: allow splice() to build full TSO packets) which seems to be a >> troublemaker since 3.5 by applying the patch in [2]. >> >> Based on your results you can then start a new thread on netdev, >> or report it to the existing thread (if fix [1] works for you). >> >> [1] http://marc.info/?l=linux-kernel&m=135749883713440&w=2 >> [2] http://marc.info/?l=linux-kernel&m=135748750110338&w=2 > > As i previously wrote, the performance issues are related to haproxy. I´ve > tested the fix from Eric and it hat no effect at all. > > Anyway i´ll post the warnings to the netdev list, maybe they can fix them. > > Regards, > Christian
